Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
INF1
New Contributor

Multiple Interface

Hi All,

 

We have a requirement to add multiple interface ports in Access Policies. Is it ok or are there any issues observed like address spoofing , or any routing issue or its perfectly fine to add multiple interface in source and destination part of the access policies for same set of source and destination IP subnets ? #300D #MultipleInterface

3 REPLIES 3
Bracepil
New Contributor

The Java programming language supports multiple inheritance of type, which is the ability of a class to implement more than one interface. An object can have multiple types: the type of its own class and the types of all the interfaces that the class implements.

sw2090
Honored Contributor

if it is different interfaces then I would recommend to add them all to one zone. Then you just need access policies that use the zone as destination or source interface.

Makes life much more easier :)

The only caveat is that the interfaces themselves can no longer be used in policies on their own once added to a zone. And you have to remove all references before you can add an interface to a zone.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Debbie_FTNT
Staff
Staff

Hey INF1,

in principle, routing is separate from policies.

As an example, if you have one policy from lan interface to two destination interfaces, dmz, and voice, with two destination addresses, dmz-range and voice-range

-> FortiGate will allow access from lan to dmz-range and voice-range

-> FortiGate will route traffic to dmz-range and voice-range per its routing table, and not start sending traffic for voice-range to the dmz interface even though technically the policy would allow it.

 

You can enable multiple interface policies under System > Feature Visibility, but do note that enabling this will disable the interface-pair view in policies (all policies from lan to dmz under one heading, all policies from lan to voice under another heading).

If you have a large number of policies, the result can be somewhat confusing.

You can have a look as to how the policies would display by switching to 'By Sequence' in the upper right corner of your policy view.

Debbie_FTNT_0-1651046749464.png

If you find the policies difficult to navigate, zones may in fact be the better solution. The same applies there - FortiGate will route traffic per its routing table, even if policies technically allow for different flow.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Labels
Top Kudoed Authors